MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15

Intelligence 15 IOCs YARA 14 File information Comments

SHA256 hash:	368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e
SHA3-384 hash:	7cfbd4dcdc2413911a28de5900e450018bc0836be57a520cc5d8fd998e5abf443987484000cbd3e38a4c19da08c5955c
SHA1 hash:	ec0a12e5b6387c7654664a17abe53d349c5b9aef
MD5 hash:	2e0d25087de57454f6e4d6cff2be73c9
humanhash:	fourteen-east-kentucky-carolina
File name:	file
Download:	download sample
Signature	Amadey Create hunting rule
File size:	6'558'720 bytes
First seen:	2026-06-06 03:23:59 UTC
Last seen:	2026-06-09 08:42:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	753375591aacf62c29fa5daa215a217d (1 x Amadey)
ssdeep	196608:wD3InTc8GG0ecdPZbiL3n7D5eid1rKyT:YIn5gdhba3YiDmyT
TLSH	T19B66330727A6A4D3E06749B94B564888E32A7E730794DB7F5ED143270E2E4E05E0EF1B
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	Amadey dropped-by-gcleaner exe U UNIQ.file

Bitsight

url: http://158.94.209.95/service

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

amadey

ID:

File name:

_368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e.exe

Verdict:

Malicious activity

Analysis date:

2026-06-06 03:26:50 UTC

Tags:

stealer stealc auto svc amadey botnet auto-reg arch-doc

Link:

https://app.any.run/tasks/722a8d1f-1b7d-4945-8676-784b9334fbbd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69286/

Detection(s):

SecuriteInfo.com.Variant.Midie.181308.59872182.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2392f557b7bf261d615d03

Tags:

autorun emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Сreating synchronization primitives

Searching for synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file

Creating a window

Enabling the 'hidden' option for recently created files

Loading a suspicious library

Creating a file in the %AppData% directory

Launching a process

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Deleting a recently created file

Replacing files

Launching the default Windows debugger (dwwin.exe)

Setting browser functions hooks

Connection attempt to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending an HTTP POST request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Unauthorized injection to a browser process

Sending an HTTP GET request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm hacktool microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6a2392ef099ef368af2347d0/reports/03381dbe-5c3a-47da-8ceb-ae15df87d3b6/overview

Verdict:

Malicious

Labled as:

Midie.Generic

Link:

https://www.hybrid-analysis.com/sample/368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-06T00:34:00Z UTC

Last seen:

2026-06-07T12:14:00Z UTC

Hits:

~1000

Detections:

VHO:Trojan-PSW.Win64.StealC.qs Trojan-PSW.Agent.TCP.C&C Trojan-PSW.Agent.HTTP.C&C Trojan-Dropper.Win32.Agent.sb Trojan-Banker.Win32.ClipBanker.sb VHO:HackTool.Win32.Convagent.gen Trojan.Win32.BypassUAC.sb Trojan.Win32.Reconyc.sb Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Zonidel.sb BSS:Trojan.Win32.Generic Trojan.MSIL.BypassUAC.sb Trojan-PSW.Win64.StealC.sb Trojan.Win64.Agent.smgaaz Trojan-PSW.Win32.Stealer.sb Trojan-Downloader.Win32.Dapato VHO:Trojan-PSW.Win32.Lumma.aclu Trojan-Spy.Stealer.HTTP.C&C Trojan-Dropper.Win64.Agent.sb Trojan.Win64.Agent.sb Trojan-Dropper.Win32.Demp.sb HEUR:HackTool.Win32.Inject.heur PDM:Trojan.Win32.Generic Trojan.Win32.Agent.xcegan Trojan.Win32.Agent.sb Trojan-Spy.MSIL.Stealer.hbc Trojan-PSW.Win64.StealC.qs Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Zegost.sb Backdoor.Win32.Androm.sb Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.Win32.Pycoon.sb Trojan-Banker.Win32.ClipBanker.aiwo Trojan-Banker.ClipBanker.HTTP.C&C VHO:Trojan-Banker.Win32.Convagent.gen Trojan-PSW.Win32.Lumma.aclu Trojan-Dropper.Win32.Dorifel.sbd HEUR:Trojan-Banker.Win32.ClipBanker.gen VHO:Trojan-PSW.Win32.Stealer.gen Trojan.Win64.Agentb.sb Trojan.Win32.Inject.sb Trojan.Agentb.TCP.C&C Trojan.Win32.Vimditator.sb PDM:Trojan.Win32.Tasker.cust Trojan-PSW.Lumma.HTTP.Download HackTool.Multi.AmsiETWPatch.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.Agentb.gen HEUR:HackTool.Multi.AmsiETWPatch.gen NetTool.CopyRegistryDumpOutlook.TCP.C&C not-a-virus:AdWare.Win32.MultiPlug.sb

Link:

https://opentip.kaspersky.com/368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6299e618-b3d1-4e9e-9856-17ad26c1d10b

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2026-06-06 03:24:56 UTC

File Type:

PE+ (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g2gogurcpeoqb4v55lfrebvx6vejr5pyi7jjbkc4pt755depbuxa._file

Result

Malware family:

xtinyloader

Score:

10/10

Tags:

family:amadey family:stealc family:svcstealer family:xtinyloader botnet:amadey discovery downloader execution loader persistence spyware stealer trojan

Link:

https://tria.ge/reports/260606-dya39say7m/

Behaviour

Checks processor information in registry

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Downloads MZ/PE file

Detects SvcStealer Payload

Family: Amadey

Family: Stealc

Family: SvcStealer, Diamotrix

Family: XTinyLoader

Malware Config

C2 Extraction:

62.60.226.159
http://196.251.107.130/16b022998f754137b60a.php

Unpacked files

SH256 hash:

368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e

MD5 hash:

2e0d25087de57454f6e4d6cff2be73c9

SHA1 hash:

ec0a12e5b6387c7654664a17abe53d349c5b9aef

Link:

https://www.unpac.me/results/15ae3155-1b64-4271-99cc-5f62ff339adc/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/368ce3522279/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	bumblebee_win_generic Create hunting rule
Author:	_kphi

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Description:	Rule for beacon reflective loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 368ce35222791d00f2bdeacb1206b7f54898f5f847d290a85c7cffde8c8f0d2e

(this sample)

Dropped by

Gcleaner

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/69286/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample